cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session PersistentManagerBase.java StandardManager.java StandardSession.java
jfarcand2004/11/22 08:35:18 Modified:catalina/src/share/org/apache/catalina/connector CoyoteInputStream.java InputBuffer.java OutputBuffer.java RequestFacade.java Response.java ResponseFacade.java catalina/src/share/org/apache/catalina/core ApplicationContextFacade.java ApplicationDispatcher.java ApplicationFilterChain.java StandardWrapper.java catalina/src/share/org/apache/catalina/security SecurityUtil.java catalina/src/share/org/apache/catalina/session PersistentManagerBase.java StandardManager.java StandardSession.java Log: Port patch from Tomcat 5.0: When the package protection is not used, do not create the doPrivileged objects . Revision ChangesPath 1.2 +6 -5 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/connector/CoyoteInputStream.java Index: CoyoteInputStream.java === RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/connector/CoyoteInputStream.java,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- CoyoteInputStream.java23 Jun 2004 08:24:57 - 1.1 +++ CoyoteInputStream.java22 Nov 2004 16:35:17 - 1.2 @@ -24,6 +24,7 @@ import javax.servlet.ServletInputStream; +import org.apache.catalina.security.SecurityUtil; /** * This class handles reading bytes. @@ -65,7 +66,7 @@ public int read() throws IOException { -if (System.getSecurityManager() != null){ +if (SecurityUtil.isPackageProtectionEnabled()){ try{ Integer result = @@ -94,7 +95,7 @@ public int available() throws IOException { -if (System.getSecurityManager() != null){ +if (SecurityUtil.isPackageProtectionEnabled()){ try{ Integer result = (Integer)AccessController.doPrivileged( @@ -122,7 +123,7 @@ public int read(final byte[] b) throws IOException { -if (System.getSecurityManager() != null){ +if (SecurityUtil.isPackageProtectionEnabled()){ try{ Integer result = (Integer)AccessController.doPrivileged( 
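Review bot: Gating `AccessController.doPrivileged` on `SecurityUtil.isPackageProtectionEnabled()` instead of `System.getSecurityManager() != null` changes whose permissions apply when a SecurityManager is installed but package protection is off. In that configuration `read()`, `available()` and `read(byte[])` here, plus `read(byte[], int, int)`, `close()` and the `B2CConverter` creation in InputBuffer further down, run with the calling web application's frames on the access-control stack. That fails closed (an `AccessControlException` rather than a bypass), but only if the wrapped calls need no permission other than package access, which these hunks do not show. I would record the assumption at the first guard, e.g. `// doPrivileged is skipped when package protection is off: the wrapped call must not trigger any other permission check`, and cover it with a test that runs under a SecurityManager with package protection disabled. All of the method bodies continue outside their hunks.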
@@ -153,7 +154,7 @@ public int read(final byte[] b, final int off, final int len) throws IOException { -if (System.getSecurityManager() != null){ +if (SecurityUtil.isPackageProtectionEnabled()){ try{ Integer result = (Integer)AccessController.doPrivileged( @@ -193,7 +194,7 @@ */ public void close() throws IOException { -if (System.getSecurityManager() != null){ +if (SecurityUtil.isPackageProtectionEnabled()){ try{ AccessController.doPrivileged( new PrivilegedExceptionAction(){ 1.4 +2 -1 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/connector/InputBuffer.java Index: InputBuffer.java === RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/connector/InputBuffer.java,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- InputBuffer.java 29 Aug 2004 16:46:09 - 1.3 +++ InputBuffer.java 22 Nov 2004 16:35:17 - 1.4 @@ -23,6 +23,7 @@ import java.security.PrivilegedExceptionAction; import java.util.HashMap; +import org.apache.catalina.security.SecurityUtil; import org.apache.coyote.Request; import org.apache.tomcat.util.buf.B2CConverter; import org.apache.tomcat.util.buf.ByteChunk; @@ -465,7 +466,7 @@ enc = DEFAULT_ENCODING; conv = (B2CConverter) encoders.get(enc); if (conv == null) { -if (System.getSecurityManager() != null){ +if (SecurityUtil.isPackageProtectionEnabled()){ try{ conv = (B2CConverter)AccessController.doPrivileged( new PrivilegedExceptionAction(){ 1.4 +2 -1 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/connector/OutputBuffer.java Index: OutputBuffer.java === RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/connector/OutputBuffer.java,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- OutputBuffer.java 25 Ju
Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session PersistentManagerBase.java StandardManager.java StandardSession.java
Remy Maucherat wrote: Jean-Francois Arcand wrote: It's not useless. Normal permissions are still turned on. It's only the package protection that is disabled. When disabled, Tomcat 5 is as insecure as Tomcat 4 in terms of sniffing/loading classes, but still secure in terms of browsing the file system etc. Possibly. But I don't know what you can do with access to the Tomcat internals, and hacking the container is a bad security problem IMO. I don't see how you could want half assed security. Oh wait, there's Window$, so I guess there are takers ;) LOL BTW, Tomcat 4 did package protection. Yes. I meant the improvement we did 2 years ago that ended up adding all those doPrivileged blocks as well as the catalina.properties list. -- Jeanfrancois Rémy - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session PersistentManagerBase.java StandardManager.java StandardSession.java
Jean-Francois Arcand wrote: It's not useless. Normal permissions are still turned on. It's only the package protection that is disabled. When disabled, Tomcat 5 is as insecure as Tomcat 4 in terms of sniffing/loading classes, but still secure in terms of browsing the file system etc. Possibly. But I don't know what you can do with access to the Tomcat internals, and hacking the container is a bad security problem IMO. I don't see how you could want half assed security. Oh wait, there's Window$, so I guess there are takers ;) BTW, Tomcat 4 did package protection. Rémy - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session PersistentManagerBase.java StandardManager.java StandardSession.java
Remy Maucherat wrote: Jean-Francois Arcand wrote: Actually, my next step is to allow an empty field in catalina.properties, which will disable the mechanism (next commit :-)). Right now you can only disable the mechanism by removing the catalina.properties or if you use the Embedded interface. By default I still want to keep Tomcat as secure as possible, but leave the door open for disabling the mechanism. As an example, when Tomcat gets benchmarked against other insecure containers with security turned on, people will think Tomcat is slower, which is not right. I don't understand. This configuration will make security useless, so what's the point ? Why not just disable security if it's going to be useless ? It's not useless. Normal permissions are still turned on. It's only the package protection that is disabled. When disabled, Tomcat 5 is as insecure as Tomcat 4 in terms of sniffing/loading classes, but still secure in terms of browsing the file system etc. -- Jeanfrancois Rémy - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session PersistentManagerBase.java StandardManager.java StandardSession.java
Jean-Francois Arcand wrote: Actually, my next step is to allow an empty field in catalina.properties, which will disable the mechanism (next commit :-)). Right now you can only disable the mechanism by removing the catalina.properties or if you use the Embedded interface. By default I still want to keep Tomcat as secure as possible, but leave the door open for disabling the mechanism. As an example, when Tomcat gets benchmarked against other insecure containers with security turned on, people will think Tomcat is slower, which is not right. I don't understand. This configuration will make security useless, so what's the point ? Why not just disable security if it's going to be useless ? Rémy - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session PersistentManagerBase.java StandardManager.java StandardSession.java
[EMAIL PROTECTED] wrote: jfarcand2004/11/18 14:13:36 Modified:catalina/src/share/org/apache/catalina/core Tag: TOMCAT_5_0 ApplicationContextFacade.java ApplicationDispatcher.java ApplicationFilterChain.java StandardWrapper.java catalina/src/share/org/apache/catalina/security Tag: TOMCAT_5_0 SecurityUtil.java catalina/src/share/org/apache/catalina/session Tag: TOMCAT_5_0 PersistentManagerBase.java StandardManager.java StandardSession.java Log: When the package protection is not used, do not create the doPrivileged objects so we don't suffer the performance hit (15% faster with trade2 and this change). Also fixed a memory leak when security manager is turned on. Fixing leaks is good :) I have a question: Can it ever happen that package access is disabled ? Tomcat is probably not secure without those checks. So what is the purpose of the change exactly ? Rémy - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session PersistentManagerBase.java StandardManager.java StandardSession.java
jfarcand2004/11/18 14:13:36 Modified:catalina/src/share/org/apache/catalina/core Tag: TOMCAT_5_0 ApplicationContextFacade.java ApplicationDispatcher.java ApplicationFilterChain.java StandardWrapper.java catalina/src/share/org/apache/catalina/security Tag: TOMCAT_5_0 SecurityUtil.java catalina/src/share/org/apache/catalina/session Tag: TOMCAT_5_0 PersistentManagerBase.java StandardManager.java StandardSession.java Log: When the package protection is not used, do not create the doPrivileged objects so we don't suffer the performance hit (15% faster with trade2 and this change). Also fixed a memory leak when security manager is turned on. Revision ChangesPath No revision No revision 1.10.2.3 +32 -25 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationContextFacade.java Index: ApplicationContextFacade.java === RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationContextFacade.java,v retrieving revision 1.10.2.2 retrieving revision 1.10.2.3 diff -u -r1.10.2.2 -r1.10.2.3 --- ApplicationContextFacade.java 1 Oct 2004 01:10:17 - 1.10.2.2 +++ ApplicationContextFacade.java 18 Nov 2004 22:13:36 - 1.10.2.3 @@ -35,6 +35,8 @@ import javax.servlet.ServletContext; import javax.servlet.ServletException; +import org.apache.catalina.security.SecurityUtil; + /** * Facade object which masks the internal ApplicationContext @@ -118,7 +120,7 @@ public ServletContext getContext(String uripath) { ServletContext theContext = null; -if (System.getSecurityManager() != null) { +if (SecurityUtil.isPackageProtectionEnabled()) { theContext = (ServletContext) doPrivileged("getContext", new Object[]{uripath}); } else { @@ -143,7 +145,7 @@ public String getMimeType(String file) { -if (System.getSecurityManager() != null) { +if (SecurityUtil.isPackageProtectionEnabled()) { return (String)doPrivileged("getMimeType", new Object[]{file}); } else { return context.getMimeType(file); 
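Review bot: `SecurityUtil.isPackageProtectionEnabled()` is now evaluated on every facade call (`getContext` and `getMimeType` here, and the seven methods in the hunks that follow), outside any privileged block and with web-application frames on the stack. SecurityUtil.java is modified by this commit but its diff is not in view. If the method reads system or security properties at call time, that read is itself subject to a permission check under a SecurityManager, so the value should be computed once in a static initializer and the method reduced to returning that field. A Javadoc line on the method would make the contract explicit, for example `Returns true only when a SecurityManager is installed and package protection is configured; the value is fixed at class initialization.`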
@@ -152,7 +154,7 @@ public Set getResourcePaths(String path) { -if (System.getSecurityManager() != null){ +if (SecurityUtil.isPackageProtectionEnabled()){ return (Set)doPrivileged("getResourcePaths", new Object[]{path}); } else { return context.getResourcePaths(path); @@ -179,7 +181,7 @@ public InputStream getResourceAsStream(String path) { -if (System.getSecurityManager() != null) { +if (SecurityUtil.isPackageProtectionEnabled()) { return (InputStream) doPrivileged("getResourceAsStream", new Object[]{path}); } else { @@ -189,7 +191,7 @@ public RequestDispatcher getRequestDispatcher(final String path) { -if (System.getSecurityManager() != null) { +if (SecurityUtil.isPackageProtectionEnabled()) { return (RequestDispatcher) doPrivileged("getRequestDispatcher", new Object[]{path}); } else { @@ -199,7 +201,7 @@ public RequestDispatcher getNamedDispatcher(String name) { -if (System.getSecurityManager() != null) { +if (SecurityUtil.isPackageProtectionEnabled()) { return (RequestDispatcher) doPrivileged("getNamedDispatcher", new Object[]{name}); } else { @@ -210,7 +212,7 @@ public Servlet getServlet(String name) throws ServletException { -if (System.getSecurityManager() != null) { +if (SecurityUtil.isPackageProtectionEnabled()) { try { return (Servlet) invokeMethod(context, "getServlet", new Object[]{name}); @@ -227,7 +229,7 @@ public Enumeration getServlets() { -if (System.getSecurityManager() != null) { +if (SecurityUtil.isPackageProtectionEnabled()) { return (Enumeration) doPrivileged("getServlets", null); } else { return context.getServlets(); @@ -236,7 +238,7 @@ public Enumeration getServletNames() { -if (System.getSecurityManager() != null) { +if (SecurityUtil.isPackageProtectionEnabled()) { return (Enumeration) doPrivileged("getServletNames", null); } else {
cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session PersistentManagerBase.java StandardManager.java StandardSession.java StoreBase.java
luehe 2003/08/18 17:49:58 Modified:catalina/src/share/org/apache/catalina/session PersistentManagerBase.java StandardManager.java StandardSession.java StoreBase.java Log: Fixed Bugtraq 4839736 ("HttpSession.setMaxInactiveInterval() doesn't behave as expected") Patch provided by [EMAIL PROTECTED] The following test case used to fail intermittently, due to a race condition between the 2nd session access and the background thread that invalidates expired sessions: HttpSession session1 = req.getSession(); session1.setMaxInactiveInterval(5); try { Thread.sleep(10 * 1000); } catch (InterruptedException e) { e.printStackTrace(); } HttpSession session2 = req.getSession(false); if (session2 == null) { // SUCCESS } else { // FAIL!! } Revision ChangesPath 1.9 +11 -36 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/PersistentManagerBase.java Index: PersistentManagerBase.java === RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/PersistentManagerBase.java,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- PersistentManagerBase.java8 Jul 2003 06:28:02 - 1.8 +++ PersistentManagerBase.java19 Aug 2003 00:49:58 - 1.9 @@ -835,8 +835,7 @@ if (session == null) return (null); -if (!session.isValid() -|| isSessionStale(session, System.currentTimeMillis())) { +if (!session.isValid()) { log.error("session swapped in is invalid or expired"); session.expire(); removeSession(id); @@ -867,10 +866,9 @@ */ protected void swapOut(Session session) throws IOException { -if (store == null || -!session.isValid() || -isSessionStale(session, System.currentTimeMillis())) +if (store == null || !session.isValid()) { return; +} ((StandardSession)session).passivate(); writeSession(session); 
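Review bot: In `swapIn`, dropping the `isSessionStale(...)` test means a session loaded from the store is rejected only when `session.isValid()` says so, so the idle-timeout check must now live inside `isValid()`. The StandardSession.java change that would confirm this is not in view. If `isValid()` merely returns the deserialized flag, a session whose `maxInactiveInterval` elapsed while it was passivated would be handed back to the caller as live. I would add a comment above the test, `// isValid() also applies the maxInactiveInterval check; no separate staleness test is needed here`, and a regression test that swaps in a session stored longer ago than its timeout. The same reliance applies to `swapOut` in the next hunk and to `writeSession`; all three method bodies extend beyond their hunks.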
@@ -887,10 +885,9 @@ */ protected void writeSession(Session session) throws IOException { -if (store == null || -!session.isValid() || -isSessionStale(session, System.currentTimeMillis())) +if (store == null || !session.isValid()) { return; +} try { if (System.getSecurityManager() != null){ @@ -1073,27 +1070,6 @@ /** - * Indicate whether the session has been idle for longer - * than its expiration date as of the supplied time. - * - * FIXME: Probably belongs in the Session class. - */ -protected boolean isSessionStale(Session session, long timeNow) { - -int maxInactiveInterval = session.getMaxInactiveInterval(); -if (maxInactiveInterval >= 0) { -int timeIdle = // Truncate, do not round up -(int) ((timeNow - session.getLastAccessedTime()) / 1000L); -if (timeIdle >= maxInactiveInterval) -return true; -} - -return false; - -} - - -/** * Invalidate all sessions that have expired. */ protected void processExpires() { @@ -1106,10 +1082,9 @@ for (int i = 0; i < sessions.length; i++) { StandardSession session = (StandardSession) sessions[i]; -if (!session.isValid()) -continue; -if (isSessionStale(session, timeNow)) +if (!session.isValid()) { session.expire(); + } } } 1.11 +5 -12 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/StandardManager.java Index: StandardManager.java === RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/StandardManager.java,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- StandardManager.java 8 Jul 2003 06:28:02 - 1.10 +++ StandardManager.java 19 Aug 2003 00:49:58 - 1.11 @@ -813,14 +813,7 @@ for (int i = 0; i < sessions.length; i++) { StandardSession session = (StandardSession) sessions[i]; -if (!session.isValid()) -continue; -int maxInactiveInterval = session.getMaxInactiveInterval(); -if (maxInactiveInterval < 0) -continue; -int timeIdle = // Truncate, do not round up -(int) ((timeNow - session.getLastAccessedTime()) /
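Review bot: In `processExpires`, the new loop calls `session.expire()` for every session whose `isValid()` returns false, whereas the old code skipped invalid sessions with `continue`. Sessions that were already invalidated are therefore expired again, and the loop depends on `expire()` being safe to call twice. If `isValid()` expires idle sessions itself (not visible here), the explicit call is redundant and the loop body could be just `session.isValid();` with a comment that the call is made for its side effect. Within this hunk `timeNow` was read only by the removed `isSessionStale` call, so if its declaration above the hunk has no other reader it should be removed as well.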